On the information security calendar, this week is known by many as “hacker summer camp,” with a trio of security conferences ongoing: Black Hat USA, BSides LV and DefCon.
The most enterprise-friendly event of the week is the annual Black Hat USA security conference, which is taking place at the Mandalay Bay in Las Vegas, with security researchers demonstrating the latest threats to critical infrastructure, servers, mobile and desktop operating systems, internet of things (IoT) and everything in between.
The main part of the conference is Black Hat Briefings, which runs July 26-27. This year there is only one keynote speech, which Facebook’s Chief Security Officer Alex Stamos will deliver. His topic will be “Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone.” Stamos is no stranger to the Black Hat stage; in 2014, when he was the chief information security officer (CISO) of Yahoo, he spoke on a similar topic of how the security industry was failing to meet user needs.
Black Hat has long been the place where researchers choose to disclose and discuss some of the most impactful security risks. At this year’s event, researchers will detail multiple types of attacks against various forms of critical infrastructure. Jason Staggs, security researcher at the University of Tulsa, will detail how he was able to attack wind power stations in his talk titled “Adventures in Attacking Wind Farm Control Networks.”
Wind power isn’t the only type of critical infrastructure at risk. Security researchers from ESET and Dragos will provide more details about the CrashOverride/Industroyer attack that hit Ukraine last month. Not to be outdone, Ruben Santamarta, principal security consultant at IOActive, will detail vulnerabilities in radiation monitoring equipment used at nuclear power plants.
How to break various types of locks is an oft-repeated topic at Black Hat, and the 2017 edition of the event is no exception. Colin O’Flynn, CEO/CTO at NewAE Technology, will detail in a session how easy it is to bypass and hack modern consumer electronic locks.
Another popular topic of discussion at Black Hat USA events is the security of Apple’s software. It was at Black Hat USA 2007 where security researcher Charlie Miller publicly discussed the very first hack of Apple’s iPhone, which debuted that same year.
At Black Hat USA 2017, there are four talks planned where different elements of Apple security will be detailed. Alex Radocea, founder of Longterm Security, will detail flaws in Apple’s iCloud keychain that were fixed in iOS and macOS in March. Patrick Wardle, chief security researcher at Synack, will demonstrate his macOS security tools at the Arsenal tools display section of Black Hat and will also be presenting in a session where he will discuss the recent macOS Fruitfly malware.
Among the most impactful and widespread security vulnerabilities to be detailed at Black Hat USA 2017 is Broadpwn, a flaw in the widely deployed Broadcom WiFi chipset that affects hundreds of millions of mobile devices, including those running Android and iOS, as well as desktop macOS. Nitay Artenstein, vulnerability researcher at Exodus Intelligence, responsibly reported the Broadpwn vulnerabilities to the impacted vendors, and they have already patched the issue.
“Meet Broadpwn, a vulnerability in Broadcom’s Wi-Fi chipsets which affects millions of Android and iOS devices, and can be triggered remotely, without user interaction,” Artenstein’s session abstract states. “The Broadcom BCM43xx family of Wi-Fi chips is found in an extraordinarily wide range of mobile devices—from various iPhone models, to HTC, LG, Nexus and practically the full range of Samsung flagship devices.”
DefCon 25
The DefCon 25 hacker conference follows Black Hat USA; this year it has found a new home at Caesars Palace in Las Vegas and runs July 27-30.
While Black Hat is organized around the traditional conference format of sessions in conference rooms, DefCon is organized around the concept of hacking villages, where attendees can learn about issues and try things out for themselves. Among the villages returning to DefCon this year are Car Hacking, Tamper-Evident, Crypto and Privacy, Social Engineer, IoT, Wireless, Lockpick and Packet Hacking.
New this year is the Voting Machine Hacking Village, which aims to provide insight and tools to test the security of voting machine hardware and software.
“The event comes as recent headlines reveal that a foreign adversary, Russia, targeted voter registration databases in dozens of states in 2016 and sought to infiltrate the networks of voting equipment vendors, local election boards, political parties and candidates,” the Voting Village’s media advisory states.
While the Black Hat and DefCon events will reveal threats that will likely shock some, the purpose is not to make people afraid but rather to empower them to learn about what security issues exist and, more importantly, how to improve security overall.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.